Seminars & Colloquia
University of California, Davis
"Techniques and Tools for Engineering Secure Web Applications"
Tuesday March 11, 2008 09:30 AM
Location: 3211, EB2 NCSU Centennial Campus
(Visitor parking instructions)
In this talk, I will present a general characterization of these classes of input validation-based vulnerabilities and a set of dynamic and static techniques to detect and prevent XSS and SQL injection attacks. Programmers usually do not specify their intentions explicitly regarding SQL query construction, but I will show how we can use principled techniques to characterize programmer intentions. We can then prevent attack queries from being sent to the database with a low-overhead, runtime check that precisely distinguishes legitimate queries from attacks. In order to help find bugs early in the software development process, I also pursued static analysis, and I will describe a sound and precise analysis that scales to large, real-world web applications and found known and unknown SQL injection vulnerabilities. I will further present how we extended this static analysis to the related but more difficult problem of XSS. I will conclude this talk by discussing future challenges in this domain.
Host: Peng Ning, Computer Science, NCSU